Pedestal Software Security Notice

From: Keith Woodard (kwoodard@PEDESTALSOFTWARE.COM)
Date: 01/03/03

    Date:         Fri, 3 Jan 2003 14:39:01 -0500
    From: Keith Woodard <kwoodard@PEDESTALSOFTWARE.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Product: Integrity Protection Driver (IPD)
    Version: 1.3 and earlier
    Subject: New Integrity Protection Driver (IPD) Available
    Date: January 3, 2003
    Solution: Upgrade to version 1.4

    SUMMARY

        The Integrity Protection Driver (IPD) is an open source kernel
        driver for Windows NT and Windows 2000 that attempts to provide
        integrity to the Windows kernel by blocking kernel-altering
        device drivers, such as rootkits, from changing normal kernel
        function.

        A new version of the IPD has been released that corrects a
        vulnerability allowing the driver's protection to be circumvented.

        More information about the IPD, including its open source license,
        can be found at:

            http://www.pedestalsoftware.com/intact/ipd

    DETAILS

        Phrack 59-16 provides sample code for circumventing the IPD by
        calling the kernel function NtCreateSymbolicLinkObject to create
        a new object name that is a symbolic link to
        \Device\PhysicalMemory, so that physical memory can be opened
        under a name the IPD does not guard. This specific use of
        NtCreateSymbolicLinkObject was fixed in version 1.3 of the
        IPD. However, Jan Rutkowski recently discovered that the same
        function can be used to map a directory to a new drive letter,
        which is what the subst command does. The protected driver files
        are then reachable through the new drive letter under a path that
        the IPD's checks do not recognise, so a malicious user could use
        this to circumvent IPD's protection of driver files.
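
        The following is an added example, not code from the IPD or from
        Pedestal Software. It models in user-mode C why a check that
        compares object names as strings is defeated by both of the
        symbolic-link tricks above, and how resolving the links to their
        target before comparing closes the hole. The link table (the
        subst'd drive X:, the MyMem link to \Device\PhysicalMemory, C: as
        a link to \Device\HarddiskVolume1, and a deliberate Loop cycle)
        is constructed for the example; a real driver would consult the
        object manager's \?? directory rather than a table of its own.

```c
/* Added example (not Pedestal Software's IPD code): a name-based
 * protection check bypassed by object-manager symbolic links, beside a
 * check that resolves the links first.  The link table is constructed. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX); use _strnicmp on MSVC */

#define MAX_HOPS 32    /* bound on link chains: defends against cycles */
#define PATH_MAX_LEN 512
#define NELEMS(a) (sizeof (a) / sizeof (a)[0])

struct link { const char *name; const char *target; };

/* Constructed stand-in for symbolic-link objects in \??.  "X:" is what
 * `subst X: C:\WINNT\system32\drivers` creates, "MyMem" is the kind of
 * link Phrack 59-16 creates with NtCreateSymbolicLinkObject, C: is
 * itself a link to the volume device, and "Loop" is a deliberate cycle. */
static const struct link LINKS[] = {
    { "\\??\\X:",    "\\??\\C:\\WINNT\\system32\\drivers" },
    { "\\??\\MyMem", "\\Device\\PhysicalMemory" },
    { "\\??\\C:",    "\\Device\\HarddiskVolume1" },
    { "\\??\\Loop",  "\\??\\Loop" },
};

/* What a string-matching driver guards: names as the caller spells them. */
static const char *NAIVE_PROTECTED[] = {
    "\\??\\C:\\WINNT\\system32\\drivers",
    "\\Device\\PhysicalMemory",
};

/* What a canonicalizing driver guards: fully resolved device names. */
static const char *CANON_PROTECTED[] = {
    "\\Device\\HarddiskVolume1\\WINNT\\system32\\drivers",
    "\\Device\\PhysicalMemory",
};

/* Case-insensitive prefix match that only accepts a match on a path
 * component boundary, so "\??\MyMem" does not match "\??\MyMemory". */
static int prefix_ci(const char *s, const char *p)
{
    size_t n = strlen(p);
    if (strncasecmp(s, p, n) != 0)
        return 0;
    return s[n] == '\0' || s[n] == '\\';
}

/* Rewrite `in` until no leading component is a known link.  Returns 0 on
 * success, -1 if the name is too long or the chain exceeds MAX_HOPS. */
int canonicalize(const char *in, char *out, size_t outsz)
{
    char cur[PATH_MAX_LEN], next[PATH_MAX_LEN];
    int hop, n;
    size_t i;

    if (strlen(in) >= sizeof cur) return -1;
    strcpy(cur, in);
    for (hop = 0; hop < MAX_HOPS; hop++) {
        for (i = 0; i < NELEMS(LINKS); i++)
            if (prefix_ci(cur, LINKS[i].name)) break;
        if (i == NELEMS(LINKS)) {               /* no link at the front: done */
            if (strlen(cur) >= outsz) return -1;
            strcpy(out, cur);
            return 0;
        }
        n = snprintf(next, sizeof next, "%s%s", LINKS[i].target,
                     cur + strlen(LINKS[i].name));
        if (n < 0 || (size_t)n >= sizeof next) return -1;
        strcpy(cur, next);
    }
    return -1;                                  /* cycle or absurdly deep chain */
}

/* Pre-1.4-style check: compare the submitted name against the list. */
int naive_blocked(const char *name)
{
    size_t i;
    for (i = 0; i < NELEMS(NAIVE_PROTECTED); i++)
        if (prefix_ci(name, NAIVE_PROTECTED[i])) return 1;
    return 0;
}

/* Resolve links first; fail closed if the name cannot be resolved. */
int canonical_blocked(const char *name)
{
    char canon[PATH_MAX_LEN];
    size_t i;
    if (canonicalize(name, canon, sizeof canon) != 0) return 1;  /* fail closed */
    for (i = 0; i < NELEMS(CANON_PROTECTED); i++)
        if (prefix_ci(canon, CANON_PROTECTED[i])) return 1;
    return 0;
}

int main(void)
{
    static const char *names[] = {
        "\\??\\C:\\WINNT\\system32\\drivers\\ipd.sys",
        "\\??\\X:\\ipd.sys", "\\??\\MyMem",
        "\\??\\C:\\WINNT\\system32\\ntoskrnl.exe", "\\??\\Loop",
    };
    size_t i;
    for (i = 0; i < NELEMS(names); i++)
        printf("%-44s naive=%d canonical=%d\n", names[i],
               naive_blocked(names[i]), canonical_blocked(names[i]));
    return 0;
}
```

        The direct path is blocked by both checks; the subst'd X: path and
        the MyMem link pass the naive check and are caught only after
        resolution; the Loop name exhausts the hop limit and is blocked
        because the resolving check fails closed. In a real kernel driver
        the robust form is to let the object manager resolve the name and
        compare the resulting object (or its queried link target) rather
        than rewriting strings, since every other spelling of the same
        object (\DosDevices, 8.3 short file names) would otherwise need an
        entry of its own.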

    PATCH AVAILABILITY

        Users of the IPD are urged to upgrade to the latest version.

        The latest driver and source code may be downloaded from the
        Pedestal Software web site at
        http://www.pedestalsoftware.com/intact/ipd.

    CREDITS

        Thanks to Jan Rutkowski <jkrutkowski@elka.pw.edu.pl> for
        telling us about this new vulnerability.

        Phrack 59-16 by crazylord <crazylord@minithins.net>
        http://www.phrack.org/show.php?p=59&a=16

    ABOUT PEDESTAL SOFTWARE

        Founded in 1998, Pedestal Software is "enabling the next wave of
        information security" by making the deployment, management, audit,
        and control of a security policy efficient and cost effective.
        The company is privately held and maintains its headquarters in
        Newton, Massachusetts. For additional information, please visit
        http://www.pedestalsoftware.com or contact us at (617) 928-5550.

    DISCLAIMER

        Pedestal Software is not responsible for the misuse of any of the
        information provided on this website and/or through security
        advisories. This advisory is a service to Pedestal Software
        customers intended to promote secure installation and use of
        Pedestal Software products.
